BitLocker encryption error code Add-TpmProtectorInternal: The data is invalid. (Exception from HRESULT: 0x8007000D)

Roots, Robert
2026-07-02T09:43:30.93+00:00

Hello Everybody,

For weeks now, I have been trying to solve a problem regarding an error code that appears when trying to enable BitLocker. The error code is 0x8007000D – The data is invalid. I have not found any articles that address this exact problem.

The main reason why I got this task is that all of our devices are currently being integrated into Intune, and my responsibility is to troubleshoot everything that shows up as non-compliant in the Intune portal. This device is the only one for which I have not been able to resolve the issue so far.

I have found dozens of articles about similar problems, and on YouTube I found troubleshooting videos regarding the exact same error code (0x8007000D), some of which mention that it can affect BitLocker. However, nothing I have tried so far has made any difference.

Okay, I will now list all the troubleshooting steps I have tried so far:

The first time I encountered this error, I simply opened tpm.msc, cleared the TPM, restarted the device, and tried to encrypt it again.

The same error message appeared.

In PowerShell (running as Administrator), I used Clear-Tpm and, after a restart, Initialize-Tpm. The same error message appeared again.

I then tried enabling BitLocker manually via PowerShell using manage-bde on drive C: and also with:

Enable-BitLocker -MountPoint "C:"

Both attempts resulted in the same error message. Sorry, our systems are configured in German; the message simply means: The data is invalid.

Next, I checked the Group Policy-related registry settings:

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE

UseAdvancedStartup    REG_DWORD    0x1

UseTPM                REG_DWORD    0x1

UseAdvancedStartup    REG_DWORD    0x0

UseTPM                REG_DWORD    0x0

EnableBDEWithNoTPM    REG_DWORD    0x1

After running gpupdate /force and restarting the PC, I tried enabling BitLocker again, but of course I got the same error message.

I also repeated the procedure while the device was disconnected from our network because I suspected that Intune policies might have been overwriting my changes. However, the same error message still appeared.

I then ran:

sfc /scannow

DISM /Online /Cleanup-Image /RestoreHealth

After that, I set the registry values again to:

UseAdvancedStartup    REG_DWORD    0x0

UseTPM                REG_DWORD    0x0

EnableBDEWithNoTPM    REG_DWORD    0x1

while the device was still disconnected from the network. Once again, this resulted in the same error code.

I always tried enabling BitLocker manually using:

manage-bde -on C: -skipHardwareTest

I also performed the following steps:

net stop wuauserv

net stop cryptSvc

net stop bits

net stop msiserver

ren %systemroot%\SoftwareDistribution SoftwareDistribution.bak

ren %systemroot%\system32\catroot2 catroot2.bak

net start wuauserv

net start cryptSvc

net start bits

net start msiserver

After restarting the device and checking for updates, one new update was found. Following installation and another restart, a notification appeared stating:

For the new firmware to use the TPM, the device must be restarted.

However, after another restart and another attempt to enable BitLocker, it still resulted in the same error message.

I also performed an in-place upgrade, but it made no difference.

As mentioned earlier, I found several YouTube videos regarding the same error code. I also found a script called:

Fix-The_data_is_invalid-0x8007000D

Unfortunately, I am not able to upload it as an attachment here.

I executed the script step by step, but of course I still received the same error code afterward.

Here is a link to the script:

https://vmtechs.com/how-to-fix-0x8007000d-data-is-invalid-error-windows-11-10/

I would be very grateful for any suggestions or additional troubleshooting ideas.

To be completely honest, everything I wrote here is based on what I remember trying over the past weeks. I have been working on this problem for a long time, but I often had to focus on other tasks that came up. Additionally, I am sometimes in vocational school for two weeks at a time and cannot access work-related systems because I do not have a company laptop.

Thank you in advance for any help.

Microsoft Security | Intune | Configuration
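The following is an added example and not code from the original post or from its author. Enable-BitLocker does several things in one call; the Add-TpmProtectorInternal in the title is the internal step that creates the TPM key protector. Running that step on its own, decoding the HRESULT instead of reading the localized message, and pulling the BitLocker-API events from the same minutes shows which step fails and what BitLocker logged about it. It assumes Windows PowerShell 5.1 in an elevated session, OS volume C: and a present TPM, all of which the post implies; the ten-minute event window is an arbitrary choice.

```powershell
#Requires -RunAsAdministrator
# Added example, not code from the original post. Isolates the TPM-protector step that
# Enable-BitLocker runs internally (Add-TpmProtectorInternal) and decodes the HRESULT.
# Assumptions: Windows PowerShell 5.1, OS volume C:, TPM present; 10-minute event window is arbitrary.

$ErrorActionPreference = 'Stop'

function Get-HResultInfo {
    # 0x8007xxxx is FACILITY_WIN32: the low 16 bits are a Win32 error code, so 0x8007000D is
    # Win32 error 13, ERROR_INVALID_DATA ("The data is invalid" / "Die Daten sind unzulässig").
    param([Parameter(Mandatory)][int64]$HResult)   # int64 so both -2147024883 and 0x8007000D are accepted
    $u = $HResult -band 0xFFFFFFFF                   # unsigned view of the 32-bit value
    $facility = ($u -shr 16) -band 0x1FFF
    $info = [ordered]@{ HResult = ('0x{0:X8}' -f $u); Win32Code = $null; Message = $null }
    if ($facility -eq 7) {
        $info.Win32Code = [int]($u -band 0xFFFF)
        $info.Message   = ([ComponentModel.Win32Exception]::new($info.Win32Code)).Message
    } else {
        $signed = if ($u -gt [int]::MaxValue) { [int]($u - 0x100000000) } else { [int]$u }
        $info.Message = [Runtime.InteropServices.Marshal]::GetExceptionForHR($signed).Message
    }
    [pscustomobject]$info
}

function Test-TpmProtectorStep {
    param([string]$MountPoint = 'C:')
    $r = [ordered]@{}

    # TPM as BitLocker sees it (the same data tpm.msc shows).
    $r.Tpm = Get-Tpm | Select-Object TpmPresent, TpmReady, TpmEnabled, TpmActivated, TpmOwned,
                                     LockedOut, LockoutCount, ManagedAuthLevel

    # Protectors left behind by earlier attempts; a TPM protector that already exists makes
    # the step below fail for an unrelated reason, so list them first.
    $r.ExistingProtectors = (Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector |
        Select-Object KeyProtectorType, KeyProtectorId

    # The TPM-protector step alone. This only registers a protector; it does not start encryption.
    try {
        Add-BitLockerKeyProtector -MountPoint $MountPoint -TpmProtector | Out-Null
        $r.TpmProtectorStep = 'succeeded'
    } catch {
        $r.TpmProtectorStep = 'failed'
        $r.Decoded   = Get-HResultInfo -HResult $_.Exception.HResult
        $r.Exception = '{0}: {1}' -f $_.Exception.GetType().FullName, $_.Exception.Message
    }

    # BitLocker-API usually logs the specific reason the cmdlet hides behind the generic HRESULT.
    $r.BitLockerEvents = Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-BitLocker/BitLocker Management'
        StartTime = (Get-Date).AddMinutes(-10)
    } -ErrorAction SilentlyContinue | Select-Object TimeCreated, Id, LevelDisplayName, Message

    [pscustomobject]$r
}

$result = Test-TpmProtectorStep
$result.Tpm | Format-List
$result | Select-Object TpmProtectorStep, Exception | Format-List
$result.Decoded | Format-List
$result.BitLockerEvents | Format-List
```

If the TPM-protector step succeeds, a subsequent Enable-BitLocker -MountPoint C: -SkipHardwareTest uses that protector. If it fails with Win32 code 13 while Get-Tpm reports TpmPresent and TpmReady, the TPM itself is not the blocker and the BitLocker-API events are the next thing to read.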
1 answer

AI answer

    2026-07-02T09:44:02.4433333+00:00

    The error 0x8007000D – The data is invalid when BitLocker is enabled via Intune almost always indicates an underlying TPM or BitLocker policy/configuration problem on the client. Based on the steps already taken, further troubleshooting should focus on verifying TPM health, BitLocker policy coming from Intune, and WinRE/BitLocker prerequisites on that specific device.

    Use the following checks on the affected device:

    1. Verify TPM health and readiness
      • Run tpm.msc and confirm that the TPM is present, enabled, and not in an unhealthy state.
      • Open an elevated PowerShell window and run:
             get-tpm
        
        All key properties (such as TpmPresent, TpmReady, ManagedAuthLevel) must be True for BitLocker to use the TPM. If any are False, BitLocker will fail until the TPM is present, ready, enabled, activated, and owned.
    2. Check for TPM-related errors in Event Viewer
      Hardware or firmware issues with the TPM can surface as generic BitLocker failures:
      • Open Event Viewer > Windows Logs > System.
      • Filter on event sources TPMProvisioningService and TPM-WMI.
      • Any repeated errors here indicate a TPM provisioning or firmware problem that must be resolved (often with OEM firmware/BIOS updates) before BitLocker will succeed.
    3. Confirm WinRE (Windows Recovery Environment) is enabled
      WinRE is a prerequisite for certain BitLocker scenarios (especially silent/automatic encryption via Intune):
      • Run an elevated Command Prompt and execute:
             reagentc /info
        
      • If the WinRE status is Disabled, enable it:
             reagentc /enable
        
      • After enabling, retry BitLocker encryption.
    4. Check BitLocker status directly on the device
      Use manage-bde to confirm current encryption state and whether BitLocker is partially configured:
      • Run an elevated Command Prompt:
             manage-bde -status
        
      • Verify that the OS volume is not in a partially encrypted or error state. If it is, clear any existing protectors and attempt a fresh configuration after TPM/WinRE issues are resolved.
    5. Inspect BitLocker policy as received from Intune
      Because this device is managed by Intune, confirm that the BitLocker CSP settings applied to it are valid for its OS build and edition:
      • Generate an MDM Diagnostics Report (stored under C:\Users\Public\Documents\MDMDiagnostics) and review the BitLocker CSP section to see which settings are actually applied.
      • Pay particular attention to:
        • OS build and edition support for the configured CSP settings (for example, many BitLocker CSP settings were introduced in Windows 10, version 1703 and later, and some only work on specific editions).
        • Whether the policy requires a healthy TPM (for example, UseTPM, UseTPMKey, UseTPMKeyPIN) on a device where the TPM is missing or unhealthy. Configuring a policy that requires TPM when the TPM is not healthy is a common cause of BitLocker failures.
    6. Validate BitLocker policy in the registry
      Confirm that the BitLocker policy settings picked up by the MDM agent match what is expected:
      • Open regedit and navigate to:
        HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\current\device\BitLocker
      • Identify the GUID under PolicyManager\Providers\<GUID>\default\Device\BitLocker and review the effective BitLocker policy values (for example, EncryptionMethodWithXtsOs, UseTPM, OSActiveDirectoryBackup, etc.).
      • Compare these with the main BitLocker policy key:
        HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE
      • Ensure the settings are consistent and supported by the OS version.
    7. Review BitLocker-API logs for more specific error context
      On Intune-managed devices, BitLocker failures are logged in BitLocker-API:
      • Open Event Viewer > Applications and Services Logs > Microsoft > Windows > BitLocker-API > Management and Operations.
      • Look for events around the time BitLocker was attempted (for example, Event IDs 851, 853, 854, 846, 778). These may indicate missing TPM, WinRE not configured, BIOS/firmware issues, or conflicting recovery policies.
      • Use those specific event messages to guide remediation (for example, enabling WinRE, updating BIOS, or adjusting recovery options policies).
    8. Check Task Scheduler for BitLocker MDM policy refresh
      If Intune policy is present but encryption never properly starts, verify the scheduled task:
      • In Event Viewer, open Applications and Services Logs > Microsoft > Windows > TaskScheduler > Operational (enable this log if it is disabled).
      • Confirm that the BitLocker MDM policy refresh task runs successfully when the device syncs with Intune. Failures here can prevent BitLocker from starting even if policy appears correct.
    9. If TPM is locked (dictionary attack protection)
      If BitLocker-API or TPM logs show messages like “The TPM is defending against dictionary attacks and is in a time-out period”, reset and clear the TPM using the documented script rather than repeated manual clears:
      • Run elevated PowerShell:
             # Get the TPM object through WMI (root\CIMv2\Security\MicrosoftTpm is the TPM provider namespace)
             $Tpm = Get-WmiObject -class Win32_Tpm -namespace "root\CIMv2\Security\MicrosoftTpm"
             # Physical presence operation 22 = clear the TPM; ask whether it still needs user confirmation
             $ConfirmationStatus = $Tpm.GetPhysicalPresenceConfirmationStatus(22).ConfirmationStatus
             # Status 4 = allowed without confirmation; otherwise queue the clear so the firmware prompts at the next restart
             if($ConfirmationStatus -ne 4) {$Tpm.SetPhysicalPresenceRequest(22)}
        
      • Restart, confirm the TPM clear when prompted, then sign in and retry BitLocker.
      • Be aware that resetting and clearing the TPM can cause data loss if existing keys depend on it.
    10. Escalate with device-specific details if logs show no clear cause
      If, after these checks, BitLocker still fails with 0x8007000D and BitLocker-API/TPM logs do not provide a clear error, collect:
      • MDM Diagnostics Report (including BitLocker CSP section).
      • System and BitLocker-API event logs around the failure.
      • TPM status (get-tpm output and TPM event logs).
        These artifacts can then be used with Microsoft support to investigate any underlying OS or Intune service-side issues for that specific device.
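The following is an added example, not part of the answer above and not code from Microsoft. It runs steps 1 to 8 and 10 of that checklist as one script that returns a report object, so the evidence for escalation is collected in one pass instead of a tour through Event Viewer and regedit. It assumes an elevated Windows PowerShell 5.1 session on the affected device. The cmdlets, log names and registry keys are the ones the answer names; the event window, the scheduled-task path filter (\Microsoft\Windows\BitLocker\) and the output folder for the MDM diagnostics report are my own choices.

```powershell
#Requires -RunAsAdministrator
# Added example, not part of the answer or Microsoft's code: the answer's checklist as one
# report. Assumptions: Windows PowerShell 5.1, elevated; event window, task-path filter and
# the MDM diagnostics output folder are arbitrary choices.

function Get-RegistryValues {
    # Name/value pairs under a key, or $null when the key is absent (no policy written there).
    param([Parameter(Mandatory)][string]$Path)
    if (-not (Test-Path -Path $Path)) { return $null }
    (Get-ItemProperty -Path $Path).PSObject.Properties |
        Where-Object { $_.Name -notmatch '^PS(Path|ParentPath|ChildName|Drive|Provider)$' } |
        ForEach-Object { [pscustomobject]@{ Name = $_.Name; Value = $_.Value } }
}

function Get-BitLockerReadinessReport {
    param(
        [string]$MountPoint = 'C:',
        [int]$EventWindowMinutes = 60,
        [string]$MdmDiagFolder          # optional: where to write the MDM diagnostics report
    )
    $since = (Get-Date).AddMinutes(-$EventWindowMinutes)
    $r = [ordered]@{}

    # Step 1: TPM health. A TPM protector needs Present and Ready; LockedOut is the step-9 case.
    $tpm = Get-Tpm
    $r.Tpm = $tpm | Select-Object TpmPresent, TpmReady, TpmEnabled, TpmActivated, TpmOwned,
                                  LockedOut, LockoutCount, ManagedAuthLevel, ManufacturerVersion
    $r.TpmUsable = [bool]($tpm.TpmPresent -and $tpm.TpmReady -and -not $tpm.LockedOut)

    # Step 2: TPM warnings/errors in the System log from the sources the answer names.
    $r.TpmEvents = Get-WinEvent -FilterHashtable @{
        LogName = 'System'; ProviderName = 'Microsoft-Windows-TPM-WMI', 'TPMProvisioningService'; Level = 1, 2, 3
    } -MaxEvents 50 -ErrorAction SilentlyContinue | Select-Object TimeCreated, Id, ProviderName, Message

    # Step 3: WinRE. reagentc labels are localized, so only the Enabled/Disabled token is matched;
    # adjust the pattern if the localized build translates that token too. Raw output is kept.
    $reagent = & reagentc.exe /info 2>&1
    $r.WinReStatus = ($reagent | Select-String -Pattern 'Enabled|Disabled' | Select-Object -First 1).Matches.Value
    $r.WinReRaw = $reagent -join "`n"

    # Step 4: volume state and protectors already present.
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    $r.Volume = $vol | Select-Object MountPoint, VolumeStatus, ProtectionStatus, EncryptionPercentage, EncryptionMethod
    $r.Protectors = $vol.KeyProtector | Select-Object KeyProtectorType, KeyProtectorId

    # Steps 5 and 6: policy delivered over the MDM channel versus the FVE key BitLocker reads.
    # Manual edits under FVE can be rewritten when the CSP policy reapplies, which is the
    # overwrite the question suspected.
    $r.CspPolicy = Get-RegistryValues 'HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\BitLocker'
    $r.FvePolicy = Get-RegistryValues 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'

    # Step 7: BitLocker-API management log around the failure.
    $r.BitLockerEvents = Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-BitLocker/BitLocker Management'; StartTime = $since
    } -ErrorAction SilentlyContinue | Select-Object TimeCreated, Id, LevelDisplayName, Message

    # Step 8: last result of the BitLocker MDM policy refresh task; LastTaskResult 0 means it ran cleanly.
    $r.MdmRefreshTask = Get-ScheduledTask -ErrorAction SilentlyContinue |
        Where-Object { $_.TaskPath -like '\Microsoft\Windows\BitLocker\*' } |
        Get-ScheduledTaskInfo | Select-Object TaskName, LastRunTime, LastTaskResult

    # Step 10 (optional): MDM diagnostics report for escalation.
    if ($MdmDiagFolder) {
        New-Item -ItemType Directory -Path $MdmDiagFolder -Force | Out-Null
        & MdmDiagnosticsTool.exe -out $MdmDiagFolder | Out-Null
        $r.MdmDiagReport = Join-Path $MdmDiagFolder 'MDMDiagReport.html'
    }
    [pscustomobject]$r
}

$report = Get-BitLockerReadinessReport -MdmDiagFolder 'C:\Temp\bde-diag'
$report | Select-Object TpmUsable, WinReStatus | Format-List
$report.FvePolicy | Format-Table -AutoSize
$report.BitLockerEvents | Format-List
```

Reading the report: TpmUsable false or any TpmEvents entry points back to steps 1 and 2 (firmware or provisioning); WinReStatus Disabled is step 3; a mismatch between CspPolicy and FvePolicy, or FVE values that require a TPM on a device whose TPM is not ready, is the policy conflict described in steps 5 and 6; and the BitLockerEvents messages are the text to quote when escalating under step 10.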

